char *server_site_name;
char *client_site_name;
time_t current_time;
+ int tried_closest_dc;
} config;
/* info derived from the servers schema */
}
/********************************************************************
- Query for AD DC's. Transparently use sitename.
+ Query for AD DC's.
********************************************************************/
NTSTATUS ads_dns_query_dcs(TALLOC_CTX *ctx,
const char *realm,
+ const char *sitename,
struct dns_rr_srv **dclist,
int *numdcs )
{
NTSTATUS status;
- char *sitename = sitename_fetch();
status = ads_dns_query_internal(ctx, "_ldap", realm, sitename,
dclist, numdcs);
status = ads_dns_query_internal(ctx, "_ldap", realm, NULL,
dclist, numdcs);
}
- SAFE_FREE(sitename);
return status;
}
/********************************************************************
- Query for AD KDC's. Transparently use sitename.
+ Query for AD KDC's.
Even if our underlying kerberos libraries are UDP only, this
is pretty safe as it's unlikely that a KDC supports TCP and not UDP.
********************************************************************/
NTSTATUS ads_dns_query_kdcs(TALLOC_CTX *ctx,
const char *realm,
+ const char *sitename,
struct dns_rr_srv **dclist,
int *numdcs )
{
NTSTATUS status;
- char *sitename = sitename_fetch();
status = ads_dns_query_internal(ctx, "_kerberos", realm, sitename,
dclist, numdcs);
status = ads_dns_query_internal(ctx, "_kerberos", realm, NULL,
dclist, numdcs);
}
- SAFE_FREE(sitename);
return status;
}
Does DNS queries.
************************************************************************/
-static char *get_kdc_ip_string(char *mem_ctx, const char *realm, struct in_addr primary_ip)
+static char *get_kdc_ip_string(char *mem_ctx, const char *realm, const char *sitename, struct in_addr primary_ip)
{
- struct ip_service *ip_srv;
- int count, i;
+ struct ip_service *ip_srv_site;
+ struct ip_service *ip_srv_nonsite;
+ int count_site, count_nonsite, i;
char *kdc_str = talloc_asprintf(mem_ctx, "\tkdc = %s\n",
inet_ntoa(primary_ip));
return NULL;
}
- if (!NT_STATUS_IS_OK(get_kdc_list(realm, &ip_srv, &count))) {
- DEBUG(10,("get_kdc_ip_string: get_kdc_list failed. Returning %s\n",
- kdc_str ));
- return kdc_str;
+ /* Get the KDC's only in this site. */
+
+ get_kdc_list(realm, sitename, &ip_srv_site, &count_site);
+
+ for (i = 0; i < count_site; i++) {
+ if (ip_equal(ip_srv_site[i].ip, primary_ip)) {
+ continue;
+ }
+ /* Append to the string - inefficient but not done often. */
+ kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
+ kdc_str, inet_ntoa(ip_srv_site[i].ip));
+ if (!kdc_str) {
+ SAFE_FREE(ip_srv_site);
+ return NULL;
+ }
}
- for (i = 0; i < count; i++) {
- if (ip_equal(ip_srv[i].ip, primary_ip)) {
+ /* Get all KDC's. */
+
+ get_kdc_list(realm, NULL, &ip_srv_nonsite, &count_nonsite);
+
+ for (i = 0; i < count_nonsite; i++) {
+ int j;
+
+ if (ip_equal(ip_srv_nonsite[i].ip, primary_ip)) {
+ continue;
+ }
+
+ /* Ensure this isn't an IP already seen (YUK! this is n*n....) */
+ for (j = 0; j < count_site; j++) {
+ if (ip_equal(ip_srv_nonsite[i].ip, ip_srv_site[j].ip)) {
+ break;
+ }
+ /* As the lists are sorted we can break early if nonsite > site. */
+ if (ip_service_compare(&ip_srv_nonsite[i], &ip_srv_site[j]) > 0) {
+ break;
+ }
+ }
+ if (j != i) {
continue;
}
+
/* Append to the string - inefficient but not done often. */
kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
- kdc_str, inet_ntoa(ip_srv[i].ip));
+ kdc_str, inet_ntoa(ip_srv_nonsite[i].ip));
if (!kdc_str) {
- SAFE_FREE(ip_srv);
+ SAFE_FREE(ip_srv_site);
+ SAFE_FREE(ip_srv_nonsite);
return NULL;
}
}
- SAFE_FREE(ip_srv);
+
+ SAFE_FREE(ip_srv_site);
+ SAFE_FREE(ip_srv_nonsite);
DEBUG(10,("get_kdc_ip_string: Returning %s\n",
kdc_str ));
run as root or will fail (which is a good thing :-).
************************************************************************/
-BOOL create_local_private_krb5_conf_for_domain(const char *realm, const char *domain, struct in_addr ip)
+BOOL create_local_private_krb5_conf_for_domain(const char *realm, const char *domain,
+ const char *sitename, struct in_addr ip)
{
char *dname = talloc_asprintf(NULL, "%s/smb_krb5", lp_lockdir());
char *tmpname = NULL;
realm_upper = talloc_strdup(fname, realm);
strupper_m(realm_upper);
- kdc_ip_string = get_kdc_ip_string(dname, realm, ip);
+ kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, ip);
if (!kdc_ip_string) {
TALLOC_FREE(dname);
return False;
pstring realm;
BOOL got_realm = False;
BOOL use_own_domain = False;
+ char *sitename = sitename_fetch();
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
/* if the realm and workgroup are both empty, assume they are ours */
}
if ( !c_realm || !*c_realm ) {
+ SAFE_FREE(sitename);
DEBUG(0,("ads_find_dc: no realm or workgroup! Don't know what to do\n"));
return NT_STATUS_INVALID_PARAMETER; /* rather need MISSING_PARAMETER ... */
}
DEBUG(6,("ads_find_dc: looking for %s '%s'\n",
(got_realm ? "realm" : "domain"), realm));
- status = get_sorted_dc_list(realm, &ip_list, &count, got_realm);
+ status = get_sorted_dc_list(realm, sitename, &ip_list, &count, got_realm);
if (!NT_STATUS_IS_OK(status)) {
/* fall back to netbios if we can */
if ( got_realm && !lp_disable_netbios() ) {
if ( ads_try_connect(ads, server) ) {
SAFE_FREE(ip_list);
+ SAFE_FREE(sitename);
return NT_STATUS_OK;
}
}
SAFE_FREE(ip_list);
-
+
+ /* In case we failed to contact one of our closest DC on our site we
+ * need to try to find another DC, retry with a site-less SRV DNS query
+ * - Guenther */
+
+ if (sitename) {
+ DEBUG(1,("ads_find_dc: failed to find a valid DC on our site (%s), "
+ "trying to find another DC\n", sitename));
+ SAFE_FREE(sitename);
+ namecache_delete(realm, 0x1C);
+ goto again;
+ }
+
return NT_STATUS_NO_LOGON_SERVERS;
}
compare 2 ldap IPs by nearness to our interfaces - used in qsort
*******************************************************************/
-static int ip_service_compare(struct ip_service *ip1, struct ip_service *ip2)
+int ip_service_compare(struct ip_service *ip1, struct ip_service *ip2)
{
int result;
*********************************************************/
static BOOL resolve_ads(const char *name, int name_type,
+ const char *sitename,
struct ip_service **return_iplist, int *return_count)
{
int i, j;
}
if (name_type == KDC_NAME_TYPE) {
- status = ads_dns_query_kdcs(ctx, name, &dcs, &numdcs);
+ status = ads_dns_query_kdcs(ctx, name, sitename, &dcs, &numdcs);
} else {
- status = ads_dns_query_dcs(ctx, name, &dcs, &numdcs);
+ status = ads_dns_query_dcs(ctx, name, sitename, &dcs, &numdcs);
}
if ( !NT_STATUS_IS_OK( status ) ) {
talloc_destroy(ctx);
**********************************************************************/
BOOL internal_resolve_name(const char *name, int name_type,
+ const char *sitename,
struct ip_service **return_iplist,
int *return_count, const char *resolve_order)
{
*return_iplist = NULL;
*return_count = 0;
- DEBUG(10, ("internal_resolve_name: looking up %s#%x\n", name, name_type));
+ DEBUG(10, ("internal_resolve_name: looking up %s#%x (sitename %s)\n",
+ name, name_type, sitename ? sitename : NULL));
if (allzeros || allones || is_address) {
} else if(strequal( tok, "kdc")) {
/* deal with KDC_NAME_TYPE names here. This will result in a
SRV record lookup */
- if (resolve_ads(name, KDC_NAME_TYPE, return_iplist, return_count)) {
+ if (resolve_ads(name, KDC_NAME_TYPE, sitename, return_iplist, return_count)) {
result = True;
/* Ensure we don't namecache this with the KDC port. */
name_type = KDC_NAME_TYPE;
} else if(strequal( tok, "ads")) {
/* deal with 0x1c names here. This will result in a
SRV record lookup */
- if (resolve_ads(name, name_type, return_iplist, return_count)) {
+ if (resolve_ads(name, name_type, sitename, return_iplist, return_count)) {
result = True;
goto done;
}
BOOL resolve_name(const char *name, struct in_addr *return_ip, int name_type)
{
struct ip_service *ip_list = NULL;
+ char *sitename = sitename_fetch();
int count = 0;
if (is_ipaddress(name)) {
*return_ip = *interpret_addr2(name);
+ SAFE_FREE(sitename);
return True;
}
- if (internal_resolve_name(name, name_type, &ip_list, &count, lp_name_resolve_order())) {
+ if (internal_resolve_name(name, name_type, sitename, &ip_list, &count, lp_name_resolve_order())) {
int i;
/* only return valid addresses for TCP connections */
{
*return_ip = ip_list[i].ip;
SAFE_FREE(ip_list);
+ SAFE_FREE(sitename);
return True;
}
}
}
SAFE_FREE(ip_list);
+ SAFE_FREE(sitename);
return False;
}
return False;
}
- if (internal_resolve_name(group, 0x1D, &ip_list, &count, lp_name_resolve_order())) {
+ if (internal_resolve_name(group, 0x1D, NULL, &ip_list, &count, lp_name_resolve_order())) {
*master_ip = ip_list[0].ip;
SAFE_FREE(ip_list);
return True;
}
- if(internal_resolve_name(group, 0x1B, &ip_list, &count, lp_name_resolve_order())) {
+ if(internal_resolve_name(group, 0x1B, NULL, &ip_list, &count, lp_name_resolve_order())) {
*master_ip = ip_list[0].ip;
SAFE_FREE(ip_list);
return True;
BOOL get_pdc_ip(const char *domain, struct in_addr *ip)
{
- struct ip_service *ip_list;
- int count;
+ char *sitename = sitename_fetch();
+ struct ip_service *ip_list = NULL;
+ int count = 0;
/* Look up #1B name */
- if (!internal_resolve_name(domain, 0x1b, &ip_list, &count, lp_name_resolve_order())) {
+ if (!internal_resolve_name(domain, 0x1b, sitename, &ip_list, &count, lp_name_resolve_order())) {
+ SAFE_FREE(sitename);
return False;
}
+ SAFE_FREE(sitename);
+
/* if we get more than 1 IP back we have to assume it is a
multi-homed PDC and not a mess up */
a domain.
*********************************************************/
-static NTSTATUS get_dc_list(const char *domain, struct ip_service **ip_list,
+static NTSTATUS get_dc_list(const char *domain, const char *sitename, struct ip_service **ip_list,
int *count, enum dc_lookup_type lookup_type, int *ordered)
{
fstring resolve_order;
/* fetch the server we have affinity for. Add the
'password server' list to a search for our domain controllers */
- saf_servername = saf_fetch( domain );
+ saf_servername = saf_fetch( domain);
if ( strequal(domain, lp_workgroup()) || strequal(domain, lp_realm()) ) {
pstr_sprintf( pserver, "%s, %s",
DEBUG(10,("get_dc_list: no preferred domain controllers.\n"));
/* TODO: change return type of internal_resolve_name to
* NTSTATUS */
- if (internal_resolve_name(domain, 0x1C, ip_list, count,
+ if (internal_resolve_name(domain, 0x1C, sitename, ip_list, count,
resolve_order)) {
return NT_STATUS_OK;
} else {
p = pserver;
while (next_token(&p,name,LIST_SEP,sizeof(name))) {
if (strequal(name, "*")) {
- if (internal_resolve_name(domain, 0x1C, &auto_ip_list,
+ if (internal_resolve_name(domain, 0x1C, sitename, &auto_ip_list,
&auto_count, resolve_order))
num_addresses += auto_count;
done_auto_lookup = True;
SAFE_FREE(auto_ip_list);
return NT_STATUS_NO_LOGON_SERVERS;
}
- if (internal_resolve_name(domain, 0x1C, ip_list, count,
+ if (internal_resolve_name(domain, 0x1C, sitename, ip_list, count,
resolve_order)) {
return NT_STATUS_OK;
} else {
Small wrapper function to get the DC list and sort it if neccessary.
*********************************************************************/
-NTSTATUS get_sorted_dc_list( const char *domain, struct ip_service **ip_list, int *count, BOOL ads_only )
+NTSTATUS get_sorted_dc_list( const char *domain, const char *sitename, struct ip_service **ip_list, int *count, BOOL ads_only )
{
BOOL ordered;
NTSTATUS status;
enum dc_lookup_type lookup_type = DC_NORMAL_LOOKUP;
- DEBUG(8,("get_sorted_dc_list: attempting lookup using [%s]\n",
+ DEBUG(8,("get_sorted_dc_list: attempting lookup for name %s (sitename %s) "
+ "using [%s]\n",
+ domain,
+ sitename ? sitename : "NULL",
(ads_only ? "ads" : lp_name_resolve_order())));
if (ads_only) {
lookup_type = DC_ADS_ONLY;
}
- status = get_dc_list(domain, ip_list, count, lookup_type, &ordered);
+ status = get_dc_list(domain, sitename, ip_list, count, lookup_type, &ordered);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
Get the KDC list - re-use all the logic in get_dc_list.
*********************************************************************/
-NTSTATUS get_kdc_list( const char *realm, struct ip_service **ip_list, int *count)
+NTSTATUS get_kdc_list( const char *realm, const char *sitename, struct ip_service **ip_list, int *count)
{
BOOL ordered;
NTSTATUS status;
*count = 0;
*ip_list = NULL;
- status = get_dc_list(realm, ip_list, count, DC_KDC_ONLY, &ordered);
+ status = get_dc_list(realm, sitename, ip_list, count, DC_KDC_ONLY, &ordered);
if (!NT_STATUS_IS_OK(status)) {
return status;
create_local_private_krb5_conf_for_domain(realm,
domain,
+ sitename,
ads->ldap_ip);
}
#endif
/* get a list of all domain controllers */
- if (!NT_STATUS_IS_OK(get_sorted_dc_list(domain, &ip_list, &count,
+ if (!NT_STATUS_IS_OK(get_sorted_dc_list(domain, NULL, &ip_list, &count,
False))) {
DEBUG(3, ("Could not look up dc's for domain %s\n", domain));
return False;
DEBUG(10,("dcip_to_name: flags = 0x%x\n", (unsigned int)ads->config.flags));
if (domain->primary && (ads->config.flags & ADS_KDC) && ads_closest_dc(ads)) {
+ char *sitename = sitename_fetch();
+
/* We're going to use this KDC for this realm/domain.
If we are using sites, then force the krb5 libs
to use this KDC. */
create_local_private_krb5_conf_for_domain(domain->alt_name,
domain->name,
+ sitename,
ip);
+ SAFE_FREE(sitename);
/* Ensure we contact this DC also. */
saf_store( domain->name, name);
saf_store( domain->alt_name, name);
}
if (sec == SEC_ADS) {
+ char *sitename = NULL;
+
/* We need to make sure we know the local site before
doing any DNS queries, as this will restrict the
get_sorted_dc_list() call below to only fetching
/* Find any DC to get the site record.
We deliberately don't care about the
return here. */
+
get_dc_name(domain->name, lp_realm(), dcname, &ip);
- /* Now do the site-specific AD dns lookup. */
- get_sorted_dc_list(domain->alt_name, &ip_list, &iplist_size, True);
+ sitename = sitename_fetch();
+
+ /* Do the site-specific AD dns lookup first. */
+ get_sorted_dc_list(domain->alt_name, sitename, &ip_list, &iplist_size, True);
+
+ for ( i=0; i<iplist_size; i++ ) {
+ add_one_dc_unique(mem_ctx, domain->name, inet_ntoa(ip_list[i].ip),
+ ip_list[i].ip, dcs, num_dcs);
+ }
+
+ SAFE_FREE(ip_list);
+ SAFE_FREE(sitename);
+ iplist_size = 0;
+
+ /* Now we add DCs from the main AD dns lookup. */
+ get_sorted_dc_list(domain->alt_name, NULL, &ip_list, &iplist_size, True);
+
+ for ( i=0; i<iplist_size; i++ ) {
+ add_one_dc_unique(mem_ctx, domain->name, inet_ntoa(ip_list[i].ip),
+ ip_list[i].ip, dcs, num_dcs);
+ }
}
/* try standard netbios queries if no ADS */
- if (iplist_size==0)
- get_sorted_dc_list(domain->name, &ip_list, &iplist_size, False);
+ if (iplist_size==0) {
+ get_sorted_dc_list(domain->name, NULL, &ip_list, &iplist_size, False);
+ }
/* FIXME!! this is where we should re-insert the GETDC requests --jerry */
char *cp;
const char *realm = NULL;
BOOL tried_closest_dc = False;
- BOOL closest_dc = False;
- BOOL site_matches = False;
/* lp_realm() should be handled by a command line param,
However, the join requires that realm be set in smb.conf
return status;
}
- if (!need_password && !second_time) {
+ if (!need_password && !second_time && !(auth_flags & ADS_AUTH_NO_BIND)) {
need_password = True;
second_time = True;
goto retry;
* This is done by reconnecting to ADS because only the first call to
* ads_connect will give us our own sitename */
- closest_dc = (ads->config.flags & ADS_CLOSEST);
- site_matches = ads_sitename_match(ads);
-
- DEBUG(10,("ads_startup_int: DC %s closest DC\n", closest_dc ? "is":"is *NOT*"));
- DEBUG(10,("ads_startup_int: sitenames %s match\n", site_matches ? "do":"do *NOT*"));
-
if ((only_own_domain || !opt_host) && !tried_closest_dc) {
tried_closest_dc = True; /* avoid loop */
- if (!ads_closest_dc(ads)) {
+ if (!ads->config.tried_closest_dc) {
namecache_delete(ads->server.realm, 0x1C);
namecache_delete(ads->server.workgroup, 0x1C);
struct hostent *hostent;
struct dns_rr_srv *dcs = NULL;
int numdcs = 0;
+ char *sitename = sitename_fetch();
TALLOC_CTX *ctx;
NTSTATUS status;
if ( (ctx = talloc_init("net_lookup_ldap")) == NULL ) {
d_fprintf(stderr, "net_lookup_ldap: talloc_inti() failed!\n");
+ SAFE_FREE(sitename);
return -1;
}
DEBUG(9, ("Lookup up ldap for domain %s\n", domain));
- status = ads_dns_query_dcs( ctx, domain, &dcs, &numdcs );
+ status = ads_dns_query_dcs( ctx, domain, sitename, &dcs, &numdcs );
if ( NT_STATUS_IS_OK(status) && numdcs ) {
print_ldap_srvlist(dcs, numdcs);
TALLOC_FREE( ctx );
-
+ SAFE_FREE(sitename);
return 0;
}
DEBUG(9, ("Looking up DC for domain %s\n", domain));
if (!get_pdc_ip(domain, &addr)) {
TALLOC_FREE( ctx );
+ SAFE_FREE(sitename);
return -1;
}
AF_INET);
if (!hostent) {
TALLOC_FREE( ctx );
+ SAFE_FREE(sitename);
return -1;
}
domain = strchr(hostent->h_name, '.');
if (!domain) {
TALLOC_FREE( ctx );
+ SAFE_FREE(sitename);
return -1;
}
domain++;
DEBUG(9, ("Looking up ldap for domain %s\n", domain));
- status = ads_dns_query_dcs( ctx, domain, &dcs, &numdcs );
+ status = ads_dns_query_dcs( ctx, domain, sitename, &dcs, &numdcs );
if ( NT_STATUS_IS_OK(status) && numdcs ) {
print_ldap_srvlist(dcs, numdcs);
TALLOC_FREE( ctx );
-
+ SAFE_FREE(sitename);
return 0;
}
TALLOC_FREE( ctx );
-
+ SAFE_FREE(sitename);
return -1;
#endif
struct in_addr addr;
char *pdc_str = NULL;
const char *domain=opt_target_workgroup;
+ char *sitename = NULL;
int count, i;
if (argc > 0)
asprintf(&pdc_str, "%s", inet_ntoa(addr));
d_printf("%s\n", pdc_str);
- if (!NT_STATUS_IS_OK(get_sorted_dc_list(domain, &ip_list, &count, False))) {
+ sitename = sitename_fetch();
+ if (!NT_STATUS_IS_OK(get_sorted_dc_list(domain, sitename, &ip_list, &count, False))) {
SAFE_FREE(pdc_str);
+ SAFE_FREE(sitename);
return 0;
}
+ SAFE_FREE(sitename);
for (i=0;i<count;i++) {
char *dc_str = inet_ntoa(ip_list[i].ip);
if (!strequal(pdc_str, dc_str))